Does trusted partners include every internet link and server between them and their trusted partners? The main problem seems to be that they are sharing people's private information in an insecure, unencrypted format (plain text), using an insecure, unencrypted mechanism (http headers) with the internet at large. Isn't this a dereliction of their duty to protect the privacy of their customers' information?